Breach and Attack Simulation
Security Testing Challenges

Limited security assessment scope and capabilities
- Red Team operations can get expensive, are not scalable, and lack completeness across the enterprise

Lack of confidence in the effectiveness of security controls and investments
- Blue Teams struggle to verify that security controls are configured correctly and to evaluate the impact of new attacks on their security controls
Breach & Attack Simulation
- Playbook library of real-world TTPs (MITRE ATT&CK™)
- Scale security assessments
- Continuously measure security control effectiveness over time

[Screenshot: Breach and Attack Simulation dashboard (Dashboard / Scans / Assets / Campaigns; filter by asset tags; last 30 days) with panels for Available Campaigns, Techniques, Tactics Overview by Failing Techniques, Asset Breakdown by Severity, Top 5 Failing Techniques (including Exploit Public-Facing Application, Application Shimming, Email Collection and File System Permissions Weakness), Scans by Status, and Most Failing Campaigns (weakness.exploit.msword.phish, Jan 01, 2018; weakness.compliance.password.reuse, Jun 02, 2018; exploit.vulnerability.drupalgeddon2, Aug 23, 2018)]


Technical Approach
- Centralized command-and-control framework using Cloud Agent
- Agents function as human [remainder illegible in source]
- Non-destructive TTPs or live exploits

[Screenshot: Qualys Breach and Attack Simulation (v0.1) console help menu]

Console commands and their descriptions, as listed in the help menu:
- Show contents of a file
- Connect to an agent
- List connected agents
- Show this help menu
- Kill an active agent connection
- List files in current directory
- Show current working directory
- Unzip a file
- Download a file from the asset
- Upload a file to the asset (upload <url>)
- Show IP-MAC pairs from system ARP table
- Execute a command on the asset
- Scan and show status for top 1024 TCP ports on the asset
- Collect metadata about the asset
- Cleanup all traces of agent from the asset
- Exit the current agent connection

Attack modules listed in the console, grouped by ATT&CK tactic:
- T1190 - drupalgeddon2: run the Drupalgeddon2 exploit
- T1190 - apachestruts: run the Apache Struts S2-057 exploit
- Execution: T1035 - psexec (use Psexec for command execution), T1191 - cmstp (use CMSTP.exe with a malicious .inf file for file execution), T1173 - windde (use DDE to run arbitrary commands)
- Persistence: [list cut off in source]

Use Case: Takeover of external-facing assets
- Drupalgeddon2 (CVE-2018-7600)
- Remote system discovery
- Exploit Drupal vulnerability to control system 1
- Laterally spread using ETERNALBLUE

[Screenshot: console session dated 20/Nov/2018. The operator runs "use 1", which opens a live session with agent #1 (192.168.1.100), then runs "drupalgeddon2" and supplies the URL of a public facing Drupal webapp (https://corpdomain.tld/blog). The log shows T1190 (Exploit Public-Facing Application): Drupal 7.46 detected via CHANGELOG.txt, successful exploitation using the Drupalgeddon2 exploit (CVE-2018-7600), a dropped file sda32fds.exe, and a connection received on TCP 32282. SYSTEMINFO lines follow: agent privileges user; logged on user CORP/user1; Windows 7 SP1 (OS Build 6.1.7601); Intel Core i7-7700; 64-bit; locale EN-US; computer name THINKPAD-111991-M710 (T-111991-M710.corp.domain.com); anti-virus installed: Symantec Endpoint Protection Small Business. The discovery module finds 3 neighbors, SMB v1 is found enabled on 192.168.1.101, and T1210 (Exploitation of Remote Services) launches the ETERNALBLUE module against 192.168.1.101, reports it successful, pivots from 192.168.1.100 to 192.168.1.101, sends a QAttack agent copy (sdfwe3223d.exe) to 192.168.1.101, and ends with "All tests complete".]

Live View: Drupalgeddon2

[Screenshot: live view of campaign exploit.vulnerability.drupalgeddon2, status InProgress, with Identification and Tactics Breakdown by Status panels, Search Options, and a status legend (Breached / Safe / Error). Asset 192.168.1.100: hostname https://corpdomain.tld, username CORP/administrator, processor AMD ThreadRipper 1980x, privileges administrator, operating system Windows 2012. A further breached asset is 192.168.1.101 (THINKPAD-98689-M710, Windows 10 Enterprise).]

Log excerpt shown in the live view:

[11/10/2018] 10:01:27 AM [STATUS]: Testing for 1 of 3 technique(s) - T1190: Exploit Public-Facing Application
[11/10/2018] 10:01:28 AM [T1190][INFORMATION]: Found public facing Drupal web host: https://corpdomain.tld/blog
[11/10/2018] 10:01:35 AM [T1190][INFORMATION]: Drupal 7.46 detected via https://corpdomain.tld/blog/CHANGELOG.txt
[11/10/2018] 10:01:43 AM [T1190][INFORMATION]: Successfully exploited using Drupalgeddon2 exploit - CVE-2018-7600
[11/10/2018] 10:01:51 AM [T1190][INFORMATION]: Dropped file: sda32fds.exe (SHA1: f47a48094c1121fef892127b8b6a7ed2bbf0c29g)
[11/10/2018] 10:01:52 AM [STATUS]: Waiting for connection from sda32fds.exe


Use case: Credential Harvesting & Lateral Movements
- Uploading / running mimikatz
- Extracting stored credentials
- Lateral movements

[Screenshot: console session dated 20/Nov/2018. The visible tail of the mimikatz output shows a kerberos entry for the machine account vswin2k8r2sp1be$ (domain WORKGROUP, password (null)) and "mimikatz(commandline) # exit". The T1003 log then reports "End execution: mimikatz.exe", a CLEANUP line deleting mimikatz.exe, "Passwords extracted: 4" and "Test successful".]

The cache command lists the harvested credentials (passwords are masked in the screenshot):

(agent #1) >>> cache
[+] Showing current cache:
[+] passwords:
Category: local
Type: wdigest
Username: Administrator
Password: AbCXXXXXXX5
Domain: VSWIN2K8R2SP1BE

Category: local
Type: tspkg
Username: Administrator
Password: AbCXXXXXXX5
Domain: VSWIN2K8R2SP1BE

Category: local
Type: kerberos
Username: Administrator
Password: AbCXXXXXXX5
Domain: VSWIN2K8R2SP1BE

Category: application: proxy
Type: credman
Username: Administrator
Password: AbCXXXXXXX5
Domain: VSWIN2K8R2SP1BE

[Screenshot: "(agent #1) >>> lateral" session dated 20/Nov/2018, 14:32. The log shows T1077 (Windows Admin Share): scanning for shares on 192.168.1.101, Windows admin$ share detected, admin shares enumerated; T1078 (Valid Accounts): testing the passwords retrieved using T1003, credentials detected for administrator, attempting lateral movement using re-used credentials; T1035 (Service Execution): psexec.exe location read from configuration, remote file copy from \\192.168.1.100, psexec.exe run with -accepteula -nobanner -d against 192.168.1.101 as administrator to start the copied executable, "Test successful", "End execution: psexec.exe", a CLEANUP line deleting psexec.exe, and "All tests complete".]


Live View: Password Reuse

[Screenshot: live view of campaign weakness.compliance.password.reuse, status InProgress, 83 assets, with Identification and Tactics Breakdown by Status panels (Initial Access, Execution, Persistence), Search Options, and a status legend (Breached / Safe / Error). Breached asset 192.168.1.101: THINKPAD-98689-M710, user CORP/user1, Intel Core i7-7770, privileges administrator, Windows 10 Enterprise.]

Log excerpt shown in the live view:

[11/10/2018] 10:01:11 AM [INFORMATION]: QAttack agent initialized via QAgent. Process name: adfg32dsff.exe
[11/10/2018] 10:01:12 AM [INFORMATION]: Current QAttack agent privileges: user
[11/10/2018] 10:01:15 AM [SYSTEMINFO]: Currently logged on user: CORP/user1
[11/10/2018] 10:01:15 AM [SYSTEMINFO]: Operating system: Windows 7 SP1 (OS Build 6.1.7601)
[11/10/2018] 10:01:15 AM [SYSTEMINFO]: Processor: Intel (R) CORE(TM) i7-7700 CPU @ 3.60GHz 3.60GHz
[11/10/2018] 10:01:15 AM [SYSTEMINFO]: Installed memory (RAM): 12.0 GB


Benefits
- Fully and continuously assess known and emerging TTPs against applications and operating systems
- Red Teams scale their operations to cover more systems with more security attack types
- Empirically measure the effectiveness of security prevention and detection tools
- Blue Teams configure their current tools to perform better, or [illegible in source] replacement tools
Visibility
- Identity (X.509, Asset ID, Device ID)
- Device Hardware
- Network and Interactions
- Apps
- Analytics
- Security Posture

© Qualys.
Secure Enterprise Mobility

Modified On: Sep 25, 2018

[Screenshot: Secure Enterprise Mobility inventory (Dashboard / Inventory / User Profiles / Configurations; last 30 days) with columns Last Seen, Asset Information, Operating System, Status, Inventory Tags. Eight corporate-owned devices are listed, all Enrolled and Active, last seen between Sep 25 and Oct 05, 2018 (IST): three Lenovo TAB 7 tablets (Android 7.0), a supervised iPhone and an iPhone 8 (iOS), a Motorola Moto G (5S) (Android 7.1.2), an Asus Zenfone AR (Android 7.0) and an Asus ZenFone Zoom S (Android 7.1.1).]
[Screenshot: Asset Summary for Station10_Tab1_Lenovo (Lenovo TB-7504X, Android v7.0, manufacturer Lenovo) with sections System Information, Apps, CA Certificates, Security Tokens, Location and Actions. Security status indicators: Unauthorized Root Access, Passcode Present, Encryption, Profiles. Identification: Asset Name Lenovo TB-7504X; Status Enrolled; Mode Active; Ownership Corporate - Owned. Activity: Last Seen Nov 14, 2018 12:05 PM PST; Enrolled On Oct 9, 2018 11:29 AM PST; Modified On Oct 10, 2018 11:29 AM PST. Last Location: Fuquay-Varina, North Carolina, United States. Enrolled with AFW: Yes.]
QSC Conference © Qualys.

[Screenshot: Asset Details for Station10_Tab1_Lenovo, Device Apps (13), detected on Nov 09, 2018 09:30 PM PST, with columns for app name, identifier, version, system app, detected on, and action. Two ACME apps (com.acme.auto service booking and ACME Customer Feedback, com.acme cust feedback) head the list. The 13 device apps are TeamViewer, Inkwire, Gboard, Gmail, OneAssistant, Home, Maps, Google Play Movies & TV, Gallery, Drive, SnoopSnitch, YouTube and Google Play Store, each with its version and detection timestamp (Nov 05 to Nov 09, 2018); non-system apps such as TeamViewer, Inkwire, OneAssistant, Home and SnoopSnitch carry an Uninstall action.]
Security
- Vulnerability Management
- Asset Lockdown
- Asset Hardening
- Enterprise Integrations
- Compliance Policies
  - On Enrollment
  - Continuous Monitoring
- Protection Enforcement and Remedial Actions
- Policy Management
- Containerization
Remedial actions available on an enrolled asset:
- Locks the screen of the asset. The asset will be unusable until it is unlocked.
- Sends a message to the user of the asset. The message will be sent as a Push Notification.
- Poll Mode: the asset will communicate to the Qualys server after the specified regular interval. Push Mode: the Qualys server will communicate to the asset only when a new action is scheduled for the asset.
- The asset will buzz and its current geo-location will be sent to the server, provided Location Services are enabled.
- Sync on demand asset information.
- The asset will be de-enrolled and the server will not be able to communicate with the device. Also, corporate data on the asset will be deleted.
- The asset will be factory reset. The server will no longer be able to communicate with the asset.
Privacy
- DIY Portal
- Audit Control
- Ownership (Corporate/BYOD)
- Transparency

Roadmap
- Feb 2019 - Closed Beta
- Multiple releases during 2019
Security Analytics & Orchestration

Human Guided Response
- Playbooks for Bi-Dir Ecosystems Integration

Policy-Driven Response
- Orchestration & Enrichment

Correlation
- Cross-Product Correlation
- Additional Context from 3rd Party Sources

BYOP - Bring-Your-Own-Playbook
- Detect KNOWN threats w/ out-of-box rules

Advanced Analytics
- Detect UNKNOWN threats using Machine Learning
- Hacker Behavioral Analytics
- Predictive & Prescriptive SOC
Security Analytics & Orchestration Apps
- ML/AI: Patterns | Outlier | Predictive SOC
- Service Orchestration & Automation: Ecosystems Integration | Playbooks | Response
- UEBA: User & Entity Behavior Analytics
- Threat Hunt: Search | Exploration | Behavior Graph
- Security Analytics: Anomaly | Visualization | Dashboard
- Advanced Correlation: Actionable Insights | Out-of-box Rules

Qualys Security Data Lake Platform: Data Ingestion | Normalization | Enrichment | Governance

Data sources (via Qualys Quick Connectors): Network, Security Apps, Server, Endpoint, Qualys Apps, Cloud, Users
Characteristics of Data Lake
- Collect Anything
- Dive in Anywhere
- Flexible Access
- Future Proof

What is Security Data Lake?
- Single data store (single source of truth)
- Structured and unstructured data
- Data is transformed, normalized, and enriched
- Threat Intelligence feed integration, GeoIP etc.
- Data has governance, semantic consistency, and access controls
- Store-once / Process-once / Use-multiple: apps, dashboards, data analytics; cross product search, reporting, visualization; machine learning, forensics, etc.
Simplified View

[Diagram: security logs from multiple sources flow through cloud connectors and log connectors into the Qualys Security Data Lake Platform, which performs data validation, data aggregation, data normalization and ML/AI modelling and exposes RESTful API services and visualization. On top of the platform sit behavior analytics, threat hunting, security analytics, orchestration/automation and 3rd party integration.]

[Diagram: Qualys Security Data Lake Platform architecture. Inputs: AD/LDAP/HRMS, FIM/IOC/Patch, Cloud Agent, VM/PC/ITAM and other Qualys Apps through an API Gateway. Processing stages: apply validation rules + cleansing, apply any cross-reference validations, normalize, metadata sync pipeline, enrichment, Map/Filter/Join, validation + data profiling (Spark), data marts, dimension + cube generation, aggregation and ML processing, with Presto, Druid and Dgraph as query/storage engines over object storage. Outputs: graphs/topology, reports, dashboards, search & correlation, cyber threat hunting, orchestration/automation & alerting, anomaly detection, and user & entity behavior analytics.]

© Qualys.